SAMUEL MUNDAME
Fulshear TX
************@*****.***
PROFILE SUMMARY
Qualified professional with over 8 years of experience in Vendor Risk Management and IT Compliance Analysis, specializing in governance, risk, security assessment, and authorization. Skilled in policies and procedures, monitoring, and strategy development. Possesses excellent written communication and documentation skills. Experienced in IT audit, risk evaluation, and governance. Expertise in information system security, cybersecurity, risk assessment, testing IT controls, and developing procedures and guidelines based on ISO 27001 and NIST CSF. Proficient in security compliance with NIST 800 series, HIPAA, CCPA, GDPR, PCI DSS, and Third-Party Risk Management. Demonstrates an excellent ability to adapt in a dynamic environment, with a strong commitment to teamwork and service.
EXPERTISE AND QUALIFICATION
• Create and maintain standards required for protecting information systems.
• Analyze vendor risk assessment questionnaires, support vendor onboarding, manage due diligence document collection, assist with contract negotiations, and manage all required ongoing monitoring efforts.
• Maintain clear ownership and daily accountability of TPRM security operational processes and technology.
• Review and ensure the service described in the SOC 2 report aligns with what is provided by the service organization.
• Perform risk assessments utilizing the NIST Cybersecurity Framework, ISO, COSO, ITIL, IT Governance (COBIT), and the NIST 800 series.
• Assess, identify, and evaluate the risks and controls over financial and operational processes, systems development, change management, IT vendor management, access management, data integrity, information security, disaster recovery, and infrastructure management.
• Identify, monitor, and track third-party risk indicators, including incidents and issues requiring remediation; assess the ongoing risk exposure and potential impacts.
• Collaborate with internal subject matter experts to ensure due diligence questionnaires are reviewed in a timely manner.
• Manage the third-party lifecycle from onboarding to offboarding, ensuring adherence to contractual terms, service level agreements (SLAs), and performance metrics.
• Perform risk assessments and develop mitigation strategies for identified risks.
• Maintain a risk register and track the status of risk mitigation efforts.
WORK EXPERIENCE
OXY – IT Governance Risk & Compliance Specialist
Dec 2024 – Present
• Demonstrate strong understanding of the Third-Party Risk Management (TPRM) program and associated governance oversight, including issues management.
• Significantly improve and mature the corporate ICS security standard and internal practice.
• Perform security and compliance assessments on new and existing systems, processes, and technology.
• Perform periodic gap assessments to validate compliance on an ongoing basis.
• Support internal and external audit processes for relevant compliance concerns, including PCI DSS, SOX, and GDPR.
• Coordinate external audits and evidence collection related to SOC 2, ISO 27001, ISO 27701, and other future frameworks.
• Document and assess the effectiveness of ITGC controls, evaluate IT management's remediation action plans, and track remediation efforts.
• Manage the internal controls repository (AuditBoard), ensuring it is up to date with control design and testing documentation.
• Extensive experience working with IT compliance frameworks: NIST CSF, COBIT, ITIL, and the ISO 27000 series.
• Facilitate the review of contract documents (MSA, NDA, data processing amendments, etc.).
• Manage and conduct security assessments of third parties and incident management; track and report third-party risk identified through due diligence.
• Document and create identified issues in ServiceNow and collaborate with internal business partners or departments to drive risk remediation.
• Manage third-party lifecycles from onboarding to offboarding, ensuring adherence to contractual terms, service level agreements (SLAs), and performance metrics.
• Perform due diligence on prospective vendors, evaluating their security practices, incident response plans, and compliance with relevant regulations (e.g., HIPAA, General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), PIPEDA, etc.).
• Analyze vendor submissions of ISO 27001, SOC 2, PCI, and Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ) reports to identify and derive residual risk.
• Provide metrics reporting of third-party risk assessments to executive audiences and assist with the creation of material to enable this reporting.
• Work closely with internal teams (e.g., IT, Privacy, Legal, Operations, the Business, etc.) to ensure compliance efforts are aligned with overall organizational goals.
• Build strong partnerships with business and IT owners to coordinate remediation activities; develop and assist in executing remediation plans.
Caterpillar – Latitude 36, Nashville
Cyber Risk & Compliance Specialist – Third-Party Risk Management
Oct 2020 – Dec 2024
• Manage vendor lifecycle phases from planning, onboarding, ongoing monitoring, risk assessments, and oversight monitoring through termination.
• Perform assessments of third-party service providers to identify potential security and privacy risks and to ensure that our vendors comply with relevant internal policies and regulations in alignment with NIST standards and the compliance framework.
• Contribute to conducting regular risk assessments and internal audits to evaluate adherence to security and privacy frameworks such as GDPR, HIPAA, PIPEDA, and CCPA. Create and manage compliance programs for frameworks including HITRUST, SOC 2, NIST 800-53, and ISO 27001.
• Conduct risk assessments on internal systems, third-party vendors, applications, and infrastructure.
• Facilitate risk and control assessments in partnership with various business areas to ensure thorough evaluation of potential risks.
• Map and document control ownership and responsibilities using enterprise GRC tools.
• Conduct risk assessments of new and existing third parties, evaluating and identifying potential risk factors related to information security, data privacy, regulatory compliance, business resiliency, operational resilience, and other relevant areas of compliance with regulatory requirements.
• Support implementing and maintaining ISO 27001 and SOC 2 compliance programs: conduct assessments, identify potential vulnerabilities, and ensure adherence to these standards by documenting findings, recommendations, and remediation steps and tracking progress on corrective actions.
• Analyze vulnerability scans, penetration test results, and incident reports to assess risk impact.
• Assist in the execution of GRC initiatives, such as security attestations (PCI, SOC 2, ISO 27001) and vendor risk management. Work with business partners across the company to ensure compliance with privacy laws and regulations and provide guidance.
• Perform internal and external control assessments to identify and mitigate gaps.
• Manage the end-to-end audit coordination process within ServiceNow, ensuring timely and accurate responses to audit requests.
• Experience reviewing and understanding legal documents and contracts (MSA, NDA, amendments, etc.).
• Prepare detailed executive reports related to supplier risk management, providing insights and recommendations to leadership.
• Stay up to date with emerging security threats and industry best practices to enhance the effectiveness of risk mitigation strategies.
• Advise internal teams on security and privacy best practices, fostering a strong culture of compliance within the organization.
• Establish and maintain Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for the Third-Party Risk Management Program and initiatives.
• Maintain alignment to technology governance and control frameworks such as PCI, SOX, ISO 27001/2, COBIT, ITIL, HIPAA, GDPR, CCPA, and NIST SP, implementing where appropriate.
• Maintain clear ownership and daily accountability of TPRM security operational processes and technology.
COSTCO WHOLESALE – Washington State
Compliance Specialist – Governance, Risk, and Compliance
Dec 2018 – Oct 2020
• Perform qualitative and quantitative risk analysis for systems, applications, business processes, vendors, and organizational changes.
• Lead and execute security/privacy vendor risk assessments and risk remediation activities to effectively identify and help treat critical risks.
• Ensure compliance with applicable laws, regulations, policies, and procedures.
• Resolve issues, clear exceptions, or escalate as appropriate.
• Document and communicate findings to the business and third parties.
• Identify control deficiencies and recommend control enhancements to address critical risks. Demonstrate ability to analyze ISO 27001, SOC 2, SIG, and CAIQ, with familiarity with security frameworks such as NIST 800-53 and CSF, financial services regulatory guidance and laws such as GLBA and FFIEC, and international regulations such as GDPR.
• Document, track, and follow up on security-related findings (e.g., non-compliance with security policies; track and report on privacy and security awareness training; maintain the risk register).
• Ensure the accuracy, compliance, and completeness of required documentation.
• Ensure all new vendor engagements that involve the vendor handling, processing, storing, or accessing sensitive information are reviewed to provide assurance that the vendor has appropriate controls in place to protect information prior to the business signing a contract.
• Act as a resource to less experienced associates, providing training and expertise for complex issues.
• Review contracts with third-party vendors to ensure that appropriate security clauses and indemnification provisions are in place.
• Coordinate external audits and evidence collection related to SOC 2, ISO 27001, ISO 27701, and other future frameworks.
• Work closely with Information Security Management, Accounting, Legal, and internal/external auditors to ensure successful follow-through and completion of compliance and mitigation activities.
• Recommend and implement process improvements to optimize vendor management and enhance operational efficiency.
• Create and update the risk register to track and respond to risk events and derive residual risk.
• Educate employees on the importance of third-party risk management and provide training on how to identify and report potential security threats.
Campbell Soup Company – New York
IT Risk Analyst – Third-Party Vendor Risk Management
Sept 2017 – Dec 2018
• Manage and conduct security assessments of third parties and incident management; track and report third-party risk identified through due diligence.
• Conduct thorough risk assessments of third-party vendors to identify potential cybersecurity and compliance risks.
• Perform due diligence on prospective vendors, evaluating their security practices, incident response plans, and compliance with relevant regulations (e.g., HIPAA, General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), etc.).
• Work closely with internal teams (e.g., IT, Privacy, Legal, Operations, the Business, etc.) to ensure compliance efforts are aligned with overall organizational goals.
• Demonstrate strong understanding of the Third-Party Risk Management (TPRM) program and associated governance oversight, including issues management.
• Conduct gap analyses and provide recommendations for improvement and automation in support of integrated risk management (IRM) GRC technology solutions.
• Guide team members on the approach and steps for finalizing control population, sampling, re-testing, exception reporting, and tracking requirements.
• Enforce the implementation of Single Sign-On (SSO) solutions to enhance user authentication processes.
• Perform risk assessments of new and existing technologies, data processing, policy exceptions, and non-compliant third-party vendors.
• Experienced working with business partners and vendors to evaluate and identify compliance and privacy needs for enterprise systems and processes to align with compliance frameworks such as PCI, HIPAA, SOX, SOC 2, ISO, GRC, GDPR, and NIST.
EDUCATION
Bachelor's in Cyber Security & Information Assurance (AIU)
Houston, Texas
CERTIFICATIONS
CCSK Certified, AWS Associate-Developer, Scrum Master, Security+ & CRISC Certified, CISA
Control Tools & Utilities: Nessus Vulnerability Scanner, McAfee, Splunk, Nexpose, Microsoft Outlook, O365, OneTrust, ServiceNow GRC, ProcessUnity, BitSight, SecurityScorecard, Ariba, AuditBoard, SharePoint & Teams
HIGHLIGHTS
Performance Improvement
Leadership Skills
Problem Solving
Communication Skills
Information Gathering
Interpersonal Skills
Team Management
Attention to Detail